Researcher cracks SHA-1 hashes for $2.10 with Amazon’s cloud service

This site may earn affiliate commissions from the links on this page. Terms of use.

German security researcher Thomas Roth was able to crack 14 SHA1-encrypted hashes in just 49 minutes, renting CPU time on Amazon’s cloud computing infrastructure, at a cost of just $2.10.

Roth’s experiment demonstrated just how easy it is these days to crack codes encrypted with the SHA1 encryption algorithm using brute-force techniques. There is nothing particularly remarkable about this; security researchers have known for a while that modern CPUs are capable of breaking weak SHA1 hash codes relatively quickly. Additionally, Roth only used relatively short passwords (1 – 6 characters in length) for his experiment.

What was interesting was the approach he took. Instead of constructing his own code-breaking monster machine, or leaving a regular PC to churn through the codes over a long period of time, he simply ran his cracking software on an Amazon EC2 pay-as-you-go cloud computing cluster.

For his experiment, Roth made use of the new GPU cluster configuration offered by Amazon. The Amazon EC2 website explains the benefits of their new GPU cluster services like this:

While Cluster Compute Instances provide the ability to create clusters of instances connected by a low latency, high throughput network, Cluster GPU Instances provide an additional option for applications that can benefit from the efficiency gains of the parallel computing power of GPUs over what can be achieved with traditional processors.

Roth was quick to see the implications of this for code-breaking. Explaining his motivation in a blog post, Roth said:

GPUs are known to be the best hardware accelerator for cracking passwords, so I decided to give it a try: How fast can this instance type be used to crack SHA1 hashes?

The results were impressive; all 14 hashes were cracked within 49 minutes using off-the-shelf CUDA Multiforcer software at a total cost of less than $2.10 (the price for an hour of computing time).

Critics of the experiment have pointed out that the relatively weak, short passwords Roth used could be easily cracked by a desktop machine, given a few more hours. These critics have totally missed the point; Roth was not setting out to show that $2.10 and an hour on EC2 would be enough to crack the toughest of passwords, but rather that the advent of for-rent cloud computing capacity heralds new opportunities for determined crackers and new challenges for computer security.

Most password systems that employ SHA-1 do not simply hash the password, but use hashes of hashes (modern Linux passwords, for example, are hashed 5000 times), making a brute-force attack more expensive and time consuming.

Nevertheless, Roth has demonstrated that brute-force cracking with computing power once only available to government agencies is now within reach of any determined individual. Since EC2 scales so well, cracking tougher passwords becomes primarily a financial challenge, rather than a logistical impossibility. For a relatively modest financial outlay, employing free-to-use software and pay-by-the-hour cloud capacity, anybody can break previously impenetrable digital locks.